Bug#308258: vim: 'set secure' isn't for own files; docs misleading.

jamessan@jamessan.com, 308258@bugs.debian.org
Sun, 8 May 2005 23:05:45 -0400



On Sun, May 08, 2005 at 09:07:44PM -0400, Adrian Irving-Beer wrote:
> Taken from the help docs for the 'secure' option:
>
>     [. . .] On Unix this option is only used if the ".vimrc" or
>     ".exrc" is not owned by you.  This can be dangerous if the system
>     allows users to do a "chown".  You better set 'secure' at the end
>     of your ~/.vimrc then.
>
> The last sentence doesn't make any sense; no matter where or when you
> set it, it has no effect on the execution of one's own .vimrc or
> .exrc files.

It's not supposed to affect that.  If a user can't trust that their own
.vimrc/.exrc files aren't being tampered with, then they have a larger
issue at hand.

> Unpacking a tarball, checking out files via CVS or any other SCM,
> etc., all create files owned only by the current user.  These can
> contain .vimrc's or .exrc's with malicious instructions that will be
> executed without restriction.

These are all actions that the user has control of and they should know
whether a .vimrc or .exrc file is being placed on their system.  The
problem this option is trying to prevent is when someone else is able to
create said files without the user's knowledge.

> The docs are misleading in this regard; I thought I was "secure" (so
> to speak) for years, and only just discovered I was an accident
> waiting to happen.

It's only an accident waiting to happen if the user isn't paying
attention to what files they're putting on their system and what the
contents of those files are, especially when they know they have an
option enabled in their editor that automatically sources those files.

> Wishlist item:
>
>    There's currently no way to distinguish a 'benign' .vimrc (e.g.
>    official project indent settings) from a 'hostile' .vimrc (shell
>    and write commands).  The 'secure' option would be ideal for this,
>    if only it or a new sister option would enforce 'secure' rules on
>    *all* .vimrc and .exrc files.
>
> (If the doc bug is fixed without a true self-included 'secure' mode,
> we can rename this report and reclassify it as a wishlist item, or I
> can just submit a new one.)

Note, I'm not disagreeing with the idea of an additional "super"-secure
option which would enforce these restrictions regardless of who owns the
.vimrc or .exrc.

As far as this bug is concerned, here's the summary of my thoughts:
a) 'exrc' has to be enabled for anything to be a problem and the help
for that option warns about possible security issues.

b) Files owned by the current user will have been placed there by the
current user and that user should know to investigate anything that may
compromise their security, such as spurious .vimrc/.exrc files when they
have 'exrc' enabled.

c) Files owned by other users may (most likely will?) have been placed
on the system without the current user's knowledge.  Even this isn't a
problem unless the user has the 'exrc' option enabled.  If they do have
the 'exrc' option enabled, then they should know about the 'secure'
option since it's mentioned in the help for 'exrc'.

James
--
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@jamessan.com>
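The ownership rule discussed in this thread, as an added example that is not part of the bug report or of Vim itself: a small checker that applies the same "is the file owned by me?" test Vim uses to decide whether 'secure' applies, to the directory-local .vimrc and .exrc files that 'exrc' would source, and counts the lines 'secure' would refuse to run (shell, write and autocmd commands). It assumes a POSIX shell with find(1), grep(1) and id(1); the two file names checked are the ones the thread discusses.

```shell
#!/bin/sh
# Added example, not from the bug report or from Vim: audit the rc files that
# 'exrc' would source in a directory before enabling that option.
# Assumes POSIX sh, find(1), grep(1), id(1) and mktemp(1).

# Vim applies 'secure' only when the rc file is NOT owned by the current user.
# Prints "secure" when the rules would apply and "unrestricted" when the file
# would be sourced with no restriction (the case the reporter is worried about).
classify_rc() {
    if [ -n "$(find "$1" -prune -user "$(id -u)" 2>/dev/null)" ]; then
        echo unrestricted
    else
        echo secure
    fi
}

# Count lines that 'secure' would block: shell, write and autocmd commands,
# with or without a leading colon.  grep -c prints 0 when nothing matches
# (and exits 1), so the "|| true" keeps the count and ignores the status.
count_restricted() {
    grep -Ec '^[[:space:]]*:?[[:space:]]*(!|sh(ell)?([[:space:]]|$)|w(rite)?([[:space:]!]|$)|r(ead)?[[:space:]]*!|au(tocmd)?([[:space:]!]|$))' "$1" || true
}

# For each local rc file in the directory given as $1 print:
# path <TAB> ownership verdict <TAB> number of lines 'secure' would block.
scan_dir() {
    for f in "$1/.vimrc" "$1/.exrc"; do
        [ -f "$f" ] || continue
        printf '%s\t%s\t%s\n' "$f" "$(classify_rc "$f")" "$(count_restricted "$f")"
    done
}

# Demonstration on constructed files.  Both are created by whoever runs the
# script, so both are reported "unrestricted" even though one carries a shell
# command: exactly the gap the thread describes.
demo() {
    d=$(mktemp -d)
    printf 'set shiftwidth=4\nset expandtab\n' > "$d/.vimrc"   # benign indent settings
    printf 'set textwidth=72\n:!id\n' > "$d/.exrc"             # one shell command
    scan_dir "$d"
    rm -rf "$d"
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh check.sh demo` to see the two constructed files reported, or call `scan_dir` on a freshly unpacked tree before turning 'exrc' on.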
